Guest

Cisco AnyConnect Secure Mobility Client

AnyConnect over IKEv2 to ASA with AAA and Certificate Authentication

Cisco - AnyConnect over IKEv2 to ASA with AAA and Certificate Authentication

Document ID: 113692

Updated: Oct 10, 2012

Contributed by Marcin Latosiewicz, Cisco TAC Engineer.

   Print

Introduction

This document provides information on how to make a connection from a PC to an Adaptive Security Appliance (ASA) using AnyConnect IPsec (IKEv2), and utilizing both certificate and AAA authentication.

The example in this document is not meant to show a full configuration, only relevant parts to obtain IKEv2 connection between the ASA and AnyConnect. NAT or access-list configuration is not discussed or needed in this document.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • ASA 8.4

  • AnyConnect 3.x

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

What you will need

Certificates with proper EKU

Although strictly speaking not required by ASA and AnyConnect combination, it is important to note that RFC requires certificates to have Extended Key Usage (EKU).

  • Certificate for ASA (contains server-auth EKU)

  • Certificate for PC (contains client-auth EKU)

Note: A Cisco IOS router with the recent software revision can put EKU on certificates.

ASA side configuration

Note: ASDM allows to create the basic configuration in a few clicks. It is recommended to use it in order to avoid mistakes.

Crypto map configuration:

crypto dynamic-map DYN 1 set pfs group1
crypto dynamic-map DYN 1 set ikev2 ipsec-proposal secure
crypto dynamic-map DYN 1 set reverse-route
crypto map STATIC 65535 ipsec-isakmp dynamic DYN
crypto map STATIC interface outside

IPsec proposals (example):

crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption aes 3des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1

IKEv2 policies (example):

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

crypto ikev2 policy 40

 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

Enabling client services and certificate on correct interface; in this case, outside.

crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint OUTSIDE
! You will notice that the same trustpoint is also assigned for SSL, this is intended and required!!!
ssl trust-point OUTSIDE outside

Enabling AnyConnect and profile:

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1 regex "Windows NT"
 anyconnect profiles Anyconnect disk0:/anyconnect.xml
 anyconnect enable
 tunnel-group-list enable

Basic username, group-policy and tunnel-group configuration.

group-policy GroupPolicy_AC internal
group-policy GroupPolicy_AC attributes

 dns-server value 4.2.2.2
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value cisco.com
 webvpn
 anyconnect profiles value Anyconnect type user

username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group AC type remote-access
tunnel-group AC general-attributes
 address-pool VPN-POOL
 default-group-policy GroupPolicy_AC
tunnel-group AC webvpn-attributes
 authentication aaa certificate
 group-alias AC enable
 group-url https://bsns-asa5520-1.cisco.com/AC enable
 without-csd

AnyConnect profile

The following is an example profile, relevant parts in bold:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
	<ClientInitialization>
		<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
		<AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
		<ShowPreConnectMessage>false</ShowPreConnectMessage>
		<CertificateStore>All</CertificateStore>
		<CertificateStoreOverride>false</CertificateStoreOverride>
		<ProxySettings>Native</ProxySettings>
		<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
		<AuthenticationTimeout>12</AuthenticationTimeout>
		<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
		<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
		<LocalLanAccess UserControllable="true">false</LocalLanAccess>
		<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
		<AutoReconnect UserControllable="false">true
			<AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</Auto
ReconnectBehavior>
		</AutoReconnect>
		<AutoUpdate UserControllable="false">true</AutoUpdate>
		<RSASecurIDIntegration UserControllable="true">Automatic</RSASecurIDIntegration>
		<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
		<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
		<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
		<PPPExclusion UserControllable="false">Disable
			<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
		</PPPExclusion>
		<EnableScripting UserControllable="false">false</EnableScripting>
		<EnableAutomaticServerSelection UserControllable="false">false
			<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
			<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
		</EnableAutomaticServerSelection>
		<RetainVpnOnLogoff>false
		</RetainVpnOnLogoff>
	</ClientInitialization>
	<ServerList>
		<HostEntry>
			<HostName>bsns-asa5520-1</HostName>
			<HostAddress>bsns-asa5520-1.cisco.com</HostAddress>
			<UserGroup>AC</UserGroup>
		<PrimaryProtocol>IPsec</PrimaryProtocol>
		</HostEntry>
	</ServerList>
</AnyConnectProfile>

Connection - user's perspective

This section shows the user's persective of connection when the profile is already present.

It is important to note that the information the user has to put in GUI to connect is the value behind <HostName>. In this case, bsns-asa5520-1 (not the full FQDN) is entered.

As first step the gateway prompts the user to select certificate (if automatic certificate selection is disabled).

ac-ikev2-ca-01.gif

Then, for username and password:

ac-ikev2-ca-02.gif

The connection is successful and AnyConnect statistics can be verified.

ac-ikev2-ca-03.gif

Verification on ASA

Verify on the ASA that this connection is using IKEv2, and both AAA and certificate authentication.

bsns-asa5520-1# show vpn-sessiondb detail anyconnect filter name cisco
Session Type: AnyConnect Detailed
Username : cisco Index : 6
Assigned IP : 172.16.99.5 Public IP : 1.2.3.4
Protocol : IKEv2 IPsecOverNatT AnyConnect-Parent
License : AnyConnect Premium
Encryption : AES256 AES128 Hashing : none SHA1 SHA1
Bytes Tx : 0 Bytes Rx : 960
Pkts Tx : 0 Pkts Rx : 10
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy_AC Tunnel Group : AC
Login Time : 15:45:41 UTC Tue Aug 28 2012
Duration : 0h:02m:41s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKEv2 Tunnels: 1
IPsecOverNatT Tunnels: 1
AnyConnect-Parent Tunnels: 1
AnyConnect-Parent:
 Tunnel ID : 6.1
 Public IP : 1.2.3.4
 Encryption : none Auth Mode : Certificate and userPassword
 Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
 Client Type : AnyConnect
 Client Ver : 3.0.08057
IKEv2:
 Tunnel ID : 6.2
 UDP Src Port : 60468 UDP Dst Port : 4500
 Rem Auth Mode: Certificate and userPassword
 Loc Auth Mode: rsaCertificate
 Encryption : AES256 Hashing : SHA1

 Rekey Int (T): 86400 Seconds Rekey Left(T): 86238 Seconds
 PRF : SHA1 D/H Group : 5
 Filter Name :
 Client OS : Windows
IPsecOverNatT:
 Tunnel ID : 6.3
 Local Addr : 0.0.0.0/0.0.0.0/0/0
 Remote Addr : 172.16.99.5/255.255.255.255/0/0

 Encryption : AES128 Hashing : SHA1
 Encapsulation: Tunnel
 Rekey Int (T): 28800 Seconds Rekey Left(T): 28638 Seconds
 Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
 Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
 Bytes Tx : 0 Bytes Rx : 960
 Pkts Tx : 0 Pkts Rx : 10

Known caveats and issues

  • IKEv2 and SSL trustpoints need to be the same.

  • It is recommended to use FQDN as the CN in ASA side certificates. Make sure to reference the same FQDN in AnyConnect profile in <HostAddress>.

  • On the client side when connecting, remember to put in the value visible in the AnyConnect profile in the <HostName> section.

  • Even in the IKEv2 configuration, AnyConnect connecting to the ASA will download profile and binary updates over SSL, but not IPsec.

  • AnyConnect connection over IKEv2 to ASA is utilizing EAP-AnyConnect, a proprietary mechanism that allows simpler implementation.

Related Information

Updated: Oct 10, 2012
Document ID: 113692